Hi Chris!

On 04.08.2011 at 14:46, chris derham wrote:
> Not sure if this is the correct way to report false positives, but we are 
> testing that our app works following the upgrade to mod_security and to core ruleset 
> 2.2.1. We are now hitting a false positive on rule 981244. I believe the 
> relevant section of the logs is shown below. Our app needs to login via an 
> HTTP call, and it appears that the rule is rejecting the call as it contains 
> a parameter "j_username". We have turned the rule off for this particular URL 
> using a location match shown below, which seems to overcome the issue. Is this 
> the correct way, or is this really a false positive? The rule says it is trying 
> to catch SQL login attempts.
> 
>     <LocationMatch "/secure*">
>         SecRuleRemoveById 981244
>     </LocationMatch>

That's a reasonable way to exclude rules for specific contexts.
The problem in your request is the password string that has been entered
into the login form (or sent otherwise).

It looks like the string "like" is somehow part of the password as can be
seen by the

     ... [data "like"] ....

part of the log event you attached.
As "like" is part of the SQL language, this request is flagged as a possible
intrusion.

As for the exclusion, your proposed version will exclude that rule for all
requests to /secure/*.
You might also consider just removing the parameter 'j_password' from the
rule, which can be done with:

   <Location /secure>
        #
        # Remove rule 981244 from j_password parameter for all /secure/ requests
        #
        SecRuleUpdateTargetById 981244 !ARGS:j_password
   </Location>

Please note that SecRuleUpdateTargetById is rather new and requires ModSecurity
2.6 (which you obviously have deployed, just mentioning that here for 
completeness).

Best regards,
    Chris


> 
> Thanks for any pointers
> 
> Chris
> 
> --23480000-B--
> POST /secure/j_acegi_security_check
> HTTP/1.1
> Host: <host name>
> User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64; rv:5.0) Gecko/20100101 
> Firefox/5.0 
> Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
> Accept-Language: en-gb,en;q=0.5
> Accept-Encoding: gzip, deflate 
> Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.7 
> Connection: keep-alive 
> Referer: http://<host name>/internet/shop 
> Cookie: JSESSIONID=872EE0D25BB05A9D8376C67A9808AB18
> Content-Type: application/x-www-form-urlencoded
> Content-Length: 62 
> 
> --23480000-C-- 
> j_username=<username>&j_password=<password>
> 
> --23480000-F--
> HTTP/1.1 412 Precondition Failed
> Last-Modified: Tue, 25 Jan 2011 18:00:46 GMT
> ETag: "100000002f836-18e-49aaf7eea50aa"
> Accept-Ranges: bytes
> Vary:Accept-Encoding
> Content-Encoding: gzip
> Content-Length: 262
> Keep-Alive: timeout=15, max=100
> Connection: Keep-Alive
> Content-Type: text/html 
> 
> --23480000-H-- Message: Access denied with code 412 (phase 2). Pattern match 
> "(?i:(?:\\d(\"|'|`|\xc2\xb4|\xe2\x80\x99|\xe2\x80\x98)\\s+(\"|'|`|\xc2\xb4|\xe2\x80\x99|\xe2\x80\x98)\\s+\\d)|(?:^admin\\s*(\"|'|`|\xc2\xb4|\xe2\x80\x99|\xe2\x80\x98)|(\\/\\*)+(\"|'|`|\xc2\xb4|\xe2\x80\x99|\xe2\x80\x98)+\\s?(?:--|#|\\/\\*|{)?)|(?:(\"|'|
>  ..." at ARGS:j_username. [file 
> "D:/apps/Apache2.2/conf/modsecurity2/modsecurity-crs_2.2.1/base_rules/modsecurity_crs_41_sql_injection_attacks.conf"]
>  [line "560"] [id "981244"] [msg "Detects basic SQL authentication bypass 
> attempts 1/3"] [data "like"] [severity "CRITICAL"] [tag "WEB_ATTACK/SQLI"] 
> [tag "WEB_ATTACK/ID"] [tag "WEB_ATTACK/LFI"] 
> Action: Intercepted (phase 2)
> Stopwatch: 1312456696272672 15001 (- - -)
> Stopwatch2: 1312456696272672 15001; combined=14001, p1=2001, p2=8000, p3=0, 
> p4=0, p5=2000, sr=2001, sw=0, l=0, gc=2000
> Producer: ModSecurity for Apache/2.6.1 (http://www.modsecurity.org/); core 
> ruleset/2.2.1.
> Server: Apache
> WebApp-Info: "rbge" "-" "-" /); core ruleset/2.1.2. Server: Apache 
> WebApp-Info: "rbge" "-" "-" 
> 
> 

_______________________________________________
Owasp-modsecurity-core-rule-set mailing list
[email protected]
https://lists.owasp.org/mailman/listinfo/owasp-modsecurity-core-rule-set
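As an added illustration (not part of this thread and not ModSecurity's own code), the following Python script parses an "H" audit-log section in the format quoted above and turns each match into the narrow, per-variable SecRuleUpdateTargetById exclusion described in the reply, rather than disabling the rule for the whole location. The sample event is constructed from the values in the thread (pattern shortened); it takes the excluded variable from the log event itself (ARGS:j_username in the quoted entry) and refuses to emit a blanket exclusion for a bare collection.

```python
import re

# Constructed sample in the format of the "H" section quoted in the thread
# (pattern shortened; rule id, target, file, line, data and tags as quoted).
SAMPLE_H_SECTION = (
    'Message: Access denied with code 412 (phase 2). Pattern match "(?i:...)" '
    'at ARGS:j_username. [file "D:/apps/Apache2.2/conf/modsecurity2/'
    'modsecurity-crs_2.2.1/base_rules/modsecurity_crs_41_sql_injection_attacks.conf"] '
    '[line "560"] [id "981244"] [msg "Detects basic SQL authentication bypass '
    'attempts 1/3"] [data "like"] [severity "CRITICAL"] [tag "WEB_ATTACK/SQLI"] '
    '[tag "WEB_ATTACK/ID"]\n'
    'Action: Intercepted (phase 2)\n'
)

# "... at <VARIABLE>. [file ..." : the variable the rule actually matched on.
TARGET_RE = re.compile(r' at (?P<target>\S+)\.(?= \[)')
# [key "value"] pairs following the target; values may contain escaped quotes.
META_RE = re.compile(r'\[(?P<key>\w+) "(?P<value>(?:[^"\\]|\\.)*)"\]')


def parse_h_section(text):
    """Return one dict per 'Message:' line with target, id, msg, data, file, line, tags."""
    events = []
    for line in text.splitlines():
        if not line.startswith("Message:"):
            continue
        m = TARGET_RE.search(line)
        if not m:
            continue
        ev = {"target": m.group("target"), "tags": []}
        for km in META_RE.finditer(line[m.end():]):
            key, value = km.group("key"), km.group("value")
            if key == "tag":
                ev["tags"].append(value)
            else:
                ev[key] = value
        events.append(ev)
    return events


def exclusion_for(event, location):
    """Narrowest fix: drop only the matched variable from that one rule, scoped to
    a Location, instead of removing the rule for every request there."""
    target = event["target"]
    if ":" not in target:
        # A bare collection such as ARGS would exclude every parameter at once.
        raise ValueError("refusing blanket exclusion for %s" % target)
    return ("<Location %s>\n"
            "    SecRuleUpdateTargetById %s !%s\n"
            "</Location>\n" % (location, event["id"], target))


if __name__ == "__main__":
    for ev in parse_h_section(SAMPLE_H_SECTION):
        print("rule %s matched %s on data %r" % (ev["id"], ev["target"], ev.get("data")))
        print(exclusion_for(ev, "/secure"))
```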
